authorSean Whitton <spwhitton@spwhitton.name>2017-03-29 20:16:12 -0700
committerSean Whitton <spwhitton@spwhitton.name>2017-03-29 20:16:12 -0700
commit901ee8615026959692050d7dac80c6286bab223f (patch)
tree7bc1ed0ecbdeaaed29c11dbcc69ea382a3793c67
parent2b1a657f0483830415107ce4fb7e17da15dd4b99 (diff)
parent6e99f0da1d1107e293b160d07e78b8947ad1dc59 (diff)
downloadkeysafe-901ee8615026959692050d7dac80c6286bab223f.tar.gz
Merge tag '0.20170303'
tagging package keysafe version 0.20170303 # gpg: Signature made Fri 03 Mar 2017 01:20:36 PM MST # gpg: using RSA key E85A5F63B31D24C1EBF0D81CC910D9222512E3C7 # gpg: Good signature from "Joey Hess <id@joeyh.name>" [full] # Primary key fingerprint: E85A 5F63 B31D 24C1 EBF0 D81C C910 D922 2512 E3C7
-rw-r--r--ByteStrings.hs13
-rw-r--r--CHANGELOG6
-rw-r--r--Encryption.hs18
-rw-r--r--HTTP/ProofOfWork.hs17
-rw-r--r--HTTP/Server.hs1
-rw-r--r--Share.hs3
-rw-r--r--Storage.hs12
-rw-r--r--TODO36
-rw-r--r--doc/details.mdwn34
-rw-r--r--doc/index.mdwn16
-rw-r--r--doc/news/version_0.20160927.mdwn20
-rw-r--r--doc/news/version_0.20161006.mdwn10
-rw-r--r--doc/news/version_0.20161007.mdwn9
-rw-r--r--doc/news/version_0.20161022.mdwn12
-rw-r--r--doc/news/version_0.20161107.mdwn14
-rw-r--r--doc/news/version_0.20170122.mdwn8
-rw-r--r--doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__.mdwn10
-rw-r--r--doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_1_5f3f9b9337e82674dc03a3de4b96ac9f._comment17
-rw-r--r--doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_2_06f4ff0c86aa877656cee67ff054e9b1._comment8
-rw-r--r--keysafe.cabal4
-rw-r--r--stack.yaml2
21 files changed, 159 insertions, 111 deletions
diff --git a/ByteStrings.hs b/ByteStrings.hs
index cecf617..90b42f0 100644
--- a/ByteStrings.hs
+++ b/ByteStrings.hs
@@ -1,5 +1,3 @@
-{-# OPTIONS_GHC -fno-warn-orphans #-}
-
{- Copyright 2016 Joey Hess <id@joeyh.name>
-
- Licensed under the GNU AGPL version 3 or higher.
@@ -9,8 +7,6 @@ module ByteStrings where
import qualified Data.ByteString as B
import qualified Raaz
-import Control.Monad
-import Data.Word
allByteStringsOfLength :: Int -> [B.ByteString]
allByteStringsOfLength = go []
@@ -34,9 +30,8 @@ chunkByteString n = go []
let (h, t) = B.splitAt n b
in go (h:cs) t
-instance Raaz.Random Word8
-
-randomByteStringOfLength :: Int -> Raaz.SystemPRG -> IO B.ByteString
-randomByteStringOfLength n prg = B.pack <$> replicateM n randbyte
+randomByteStringOfLength :: Int -> IO B.ByteString
+randomByteStringOfLength n = Raaz.securely gen
where
- randbyte = Raaz.random prg :: IO Word8
+ gen :: Raaz.RandM B.ByteString
+ gen = Raaz.randomByteString (Raaz.BYTES n)
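Review bot: randomByteStringOfLength lost its generator argument and has no comment saying what `Raaz.securely` actually protects, which matters because both the salt prefix and the chaff data are produced through it. As far as I can tell the locked memory covers the generator's internal state only, while the returned `B.ByteString` is an ordinary heap value. I would add a Haddock line such as `-- | Generates n random bytes with Raaz.securely; the generator state is in locked memory, the returned ByteString is not.` so callers do not assume the result itself is protected.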
diff --git a/CHANGELOG b/CHANGELOG
index 8d8036b..60167a0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,9 @@
+keysafe (0.20170303) unstable; urgency=medium
+
+ * Updated to use raaz-0.1.1.
+
+ -- Joey Hess <id@joeyh.name> Fri, 03 Mar 2017 16:15:47 -0400
+
keysafe (0.20170122) unstable; urgency=medium
* Adjust cabal bounds to allow building with ghc 8.0.
diff --git a/Encryption.hs b/Encryption.hs
index 880095d..3e085a0 100644
--- a/Encryption.hs
+++ b/Encryption.hs
@@ -32,10 +32,9 @@ encrypt :: Tunables -> KeyEncryptionKey -> SecretKey -> EncryptedSecretKey
encrypt tunables kek (SecretKey secret) =
EncryptedSecretKey (chunkByteString (objectSize tunables) b) (keyBruteForceCalc kek)
where
- -- Raaz does not seem to provide a high-level interface
- -- for AES encryption, so use unsafeEncrypt. The use of
- -- EncryptableBytes makes sure it's provided with a
- -- multiple of the AES block size.
+ -- Raaz does not provide a high-level interface for AES encryption,
+ -- so we use unsafeEncrypt. The use of EncryptableBytes makes
+ -- sure it's provided with a multiple of the AES block size.
b = Raaz.unsafeEncrypt cipher (keyEncryptionKey kek, keyEncryptionIV kek) $
getEncryptableBytes $ encodeEncryptableBytes tunables secret
@@ -104,8 +103,7 @@ instance HasDecryptionCost (Candidates a) where
-- run the hash repeatedly.
genKeyEncryptionKey :: Tunables -> Name -> Password -> IO KeyEncryptionKey
genKeyEncryptionKey tunables name password = do
- prg <- Raaz.newPRG () :: IO Raaz.SystemPRG
- saltprefix <- genRandomSaltPrefix prg tunables
+ saltprefix <- genRandomSaltPrefix tunables
return $ head $
genKeyEncryptionKeys [saltprefix] tunables name password
@@ -144,12 +142,12 @@ genIV (Name name) =
Raaz.fromByteString $ B.take ivlen $
Raaz.toByteString $ Raaz.sha256 name
where
- ivlen = fromIntegral $ Raaz.byteSize (undefined :: Raaz.IV)
+ ivlen = fromIntegral $ Raaz.sizeOf (undefined :: Raaz.IV)
type SaltPrefix = B.ByteString
-genRandomSaltPrefix :: Raaz.SystemPRG -> Tunables -> IO SaltPrefix
-genRandomSaltPrefix prg tunables = randomByteStringOfLength n prg
+genRandomSaltPrefix :: Tunables -> IO SaltPrefix
+genRandomSaltPrefix tunables = randomByteStringOfLength n
where
n = randomSaltBytes $ keyEncryptionKeyTunable tunables
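Review bot: `ivlen` here, and the key length in hashToAESKey in the next hunk, now come from `Raaz.sizeOf` instead of `Raaz.byteSize`, and nothing in the code pins that the two return the same number of bytes. If the lengths differed, genIV and hashToAESKey would derive a different IV or key (or reach the `error` in hashToAESKey) and existing backups would stop restoring; the todo comments in this commit rely on the test suite and one manual restore for this. A comment at both sites, for example `-- Length must not change between raaz versions: it feeds IV/key derivation for existing backups.`, would record the constraint for the next upgrade. Both function bodies begin outside their hunks.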
@@ -164,7 +162,7 @@ hashToAESKey (ExpensiveHash _ t) =
fromMaybe (error "hashToAESKey fromByteString failed") $
Raaz.fromByteString b
where
- b = B.take (fromIntegral $ Raaz.byteSize (undefined :: AesKey)) $
+ b = B.take (fromIntegral $ Raaz.sizeOf (undefined :: AesKey)) $
Raaz.toByteString $ Raaz.sha256 (E.encodeUtf8 t)
-- | A bytestring that can be AES encrypted.
diff --git a/HTTP/ProofOfWork.hs b/HTTP/ProofOfWork.hs
index a94b19b..61fea20 100644
--- a/HTTP/ProofOfWork.hs
+++ b/HTTP/ProofOfWork.hs
@@ -95,10 +95,13 @@ mkProofOfWorkRequirement (Seconds n)
newtype RequestIDSecret = RequestIDSecret (Raaz.Key (Raaz.HMAC Raaz.SHA256))
+-- | Random data is generated insecurely, eg not locked in memory because
+-- this is a transient secret.
newRequestIDSecret :: IO RequestIDSecret
-newRequestIDSecret = do
- prg <- Raaz.newPRG () :: IO Raaz.SystemPRG
- RequestIDSecret <$> Raaz.random prg
+newRequestIDSecret = RequestIDSecret <$> Raaz.insecurely gen
+ where
+ gen :: Raaz.RandM (Raaz.Key (Raaz.HMAC Raaz.SHA256))
+ gen = Raaz.random
mkRequestID :: RequestIDSecret -> IO RequestID
mkRequestID secret = mkRequeestID' secret <$> mkRandomSalt
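Review bot: The new Haddock on newRequestIDSecret (repeated on mkRandomSalt in the next hunk) says the data is "generated insecurely", which reads as if the randomness itself were weak. Going by the comment's own explanation, the difference from `Raaz.securely` is only that memory is not locked, so I would word it as `-- | Uses Raaz.insecurely: the generator's memory is not locked. Acceptable because this secret is transient.` It would also help to state what bounds the lifetime of this HMAC key, since that is the justification for skipping locked memory; the hunk does not show where the secret is created or dropped.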
@@ -113,11 +116,15 @@ validRequestID secret rid =
let rid' = mkRequeestID' secret (randomSalt rid)
in requestHMAC rid == requestHMAC rid'
+-- | Random data is generated insecurely, eg not locked in memory because
+-- this is a transient secret.
mkRandomSalt :: IO RandomSalt
mkRandomSalt = do
- prg <- Raaz.newPRG () :: IO Raaz.SystemPRG
- rs <- replicateM 16 (Raaz.random prg :: IO Word8)
+ rs <- Raaz.insecurely $ replicateM 16 gen
return $ RandomSalt $ T.pack $ concatMap show rs
+ where
+ gen :: Raaz.RandM Word8
+ gen = Raaz.random
class POWIdent p where
getPOWIdent :: p -> B.ByteString
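Review bot: mkRandomSalt still renders the 16 bytes with `concatMap show rs`, so each byte becomes one to three decimal digits with no separator and different byte sequences can yield the same salt text (for example [1,23] and [12,3] both give "123"). That discards part of the randomness just drawn and makes the salt length vary. A fixed-width rendering keeps every salt distinct, e.g. `return $ RandomSalt $ T.pack $ concatMap (printf "%02x") rs` with `Text.Printf`, or drawing the bytes with `Raaz.randomByteString (Raaz.BYTES 16)` as ByteStrings.hs now does and hex-encoding the result.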
diff --git a/HTTP/Server.hs b/HTTP/Server.hs
index 6fd570d..61bdbfd 100644
--- a/HTTP/Server.hs
+++ b/HTTP/Server.hs
@@ -18,7 +18,6 @@ import CmdLine (ServerConfig(..))
import Storage.Local
import Serialization ()
import Servant
-import Network.Wai
import Network.Wai.Handler.Warp
import Control.Monad.IO.Class
import Control.Concurrent
diff --git a/Share.hs b/Share.hs
index 2d848b9..6d39f99 100644
--- a/Share.hs
+++ b/Share.hs
@@ -94,7 +94,8 @@ genShares (EncryptedSecretKey cs _) tunables = do
combineShares :: Tunables -> [S.Set Share] -> Either String EncryptedSecretKey
combineShares tunables shares
| null shares || any null shares || any (\l -> length l < sharesneeded) shares =
- Left "Not enough shares are currently available to reconstruct your data."
+ Left $ "Not enough shares are currently available to reconstruct your data. " ++
+ concatMap (\l -> "(Got " ++ show (length l) ++ "/" ++ show sharesneeded ++ ") ") shares
| otherwise = Right $ mk $
map (BL.toStrict . SS.decode . map decodeshare . S.toList) shares
where
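Review bot: The added `concatMap` appends a "(Got n/m)" fragment for every element of `shares`, including sets that already hold enough shares, so with many chunks the message gets long and the deficient sets are hard to spot. Restricting it to the sets that fail the check keeps it readable: apply the same lambda to `filter (\l -> length l < sharesneeded) shares` instead of `shares`. When `shares` is empty the message carries no counts at all, which may deserve its own wording. The `where` clause defining `sharesneeded` continues outside the hunk.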
diff --git a/Storage.hs b/Storage.hs
index c481d77..feb5791 100644
--- a/Storage.hs
+++ b/Storage.hs
@@ -26,7 +26,6 @@ import Control.Concurrent.Async
import qualified Data.Set as S
import System.Random
import System.Random.Shuffle
-import qualified Raaz
networkStorageLocations :: Maybe LocalStorageDirectory -> StorageLocations
networkStorageLocations = StorageLocations . serverList
@@ -171,25 +170,24 @@ storeChaff :: HostName -> Port -> Maybe Seconds -> IO ()
storeChaff hn port delayseconds = forever $ do
say $ "Sending chaff to " ++ hn ++ " (press ctrl-c to stop)"
say "Legend: + = successful upload, ! = upload failure"
- prg <- Raaz.newPRG () :: IO Raaz.SystemPRG
- randomname <- randomByteStringOfLength 128 prg
+ randomname <- randomByteStringOfLength 128
-- It's ok the use the testModeTunables here because
-- the randomname is not something that can be feasibly guessed.
-- Prefix "random chaff" to the name to avoid ever using a name
-- that a real user might want to use.
let sis = shareIdents testModeTunables (Name $ "random chaff:" <> randomname) AnyGpgKey
- mapConcurrently (go sis prg)
+ mapConcurrently (go sis)
[1..totalObjects (shareParams testModeTunables)]
where
server = networkStorage Untrusted Nothing $
Server (ServerName hn) [ServerAddress hn port] "chaff server"
objsize = objectSize defaultTunables * shareOverhead defaultTunables
maxmsdelay = ceiling $ 1000000 * fromMaybe 0 delayseconds
- go sis prg n = do
+ go sis n = do
msdelay <- getStdRandom (randomR (0, maxmsdelay))
delay msdelay
- b <- randomByteStringOfLength objsize prg
+ b <- randomByteStringOfLength objsize
let share = Share 0 (StorableObject b)
let (is, sis') = nextShareIdents sis
let i = S.toList is !! (n - 1)
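Review bot: `go` now calls `randomByteStringOfLength objsize` for every chaff object, and per the ByteStrings.hs hunk that runs `Raaz.securely` on each call, from every `mapConcurrently` worker inside a `forever` loop. Chaff is random filler rather than key material, so locked memory buys nothing here, and if the locked allocation is limited on the host the concurrent workers could presumably fail or contend on it. Following the reasoning in the HTTP/ProofOfWork.hs comments, a second helper in ByteStrings.hs built on `Raaz.insecurely` would fit the chaff path, leaving `Raaz.securely` for the salt prefix. The body of `go` continues into the next hunk.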
@@ -197,7 +195,7 @@ storeChaff hn port delayseconds = forever $ do
case r of
StoreSuccess -> progress "+"
_ -> progress "!"
- go sis' prg n
+ go sis' n
-- | Shuffles the list, keeping Recommended first, then
-- Alternate, and finally Untrusted.
diff --git a/TODO b/TODO
index 18426bf..7b56c90 100644
--- a/TODO
+++ b/TODO
@@ -2,6 +2,20 @@ Soon:
* Finish vetting 2 servers to Recommended.
* Set up --check-servers in a cron job, so I know when servers are down.
+* Remove gpg key passohrase from gpg keys that keysafe backs up.
+ The reason for this is that the user may well forget their gpg key
+ passphrase, and it's *weird* to restore a key with keysafe's password
+ and then have it passphrase protected.
+ The gpg key passphrase is intended only to keep a key from being used
+ for a short period of time (a week or so) when the device holding it
+ is known to have been compromised, so the key can be revoked.
+ This doesn't really apply to keys backed up with keysafe -- if they get
+ compromised somehow, the user won't know, and cracking the gpg passphrase
+ should be almost trivial to an attacker who was able to break keysafe's
+ password.
+ paperkey can remove gpg key passphrases. Is there any better way?
+ It might make sense for keysafe to prompt for a new gpg passphrase
+ when restoring.
Later:
@@ -25,11 +39,6 @@ Later:
* Add some random padding to http requests and responses, to make it
harder for traffic analysis to tell that given TOR traffic is
keysafe traffic.
-* Argon2d is more resistent to GPU/ASIC attack optimisation.
- Switching from Argon2i would require new tunables, and delay restores
- (of keys backed up using the old tunables, and when the user provides the
- wrong name) by ~10 minutes, so deferred for now
- until there's some other reason to change the tunables.
Wishlist:
@@ -72,3 +81,20 @@ Wishlist:
restore from working. (It also makes a malicious data attack (as described
in https://keysafe.branchable.com/details/) possible by attackers who do not
control the servers.
+
+Encryption tunables changes:
+
+* Argon2d is more resistent to GPU/ASIC attack optimisation.
+ Switching from Argon2i would require new tunables, and delay restores
+ (of keys backed up using the old tunables, and when the user provides the
+ wrong name) by ~10 minutes, so deferred for now
+ until there's some other reason to change the tunables.
+* The ShareIdents derivation currently appends a number and sha256 hashes
+ to generate a stream of values. Ben M points out that HMAC is a more
+ typical way to do such a thing. Even better, a HKDF-Expand
+ (RFC5869) can generate a stream which can then be chunked up into values.
+ Either of these would avoid a full pre-image attack on SHA-2 breaking
+ keysafe. Of course, such an SHA-2 attack would be a general security
+ disaster. HKDF may prove more robust in the face of partial SHA-2 breaks.
+ Deferred for now until tthere's some other reason to change keysafe's
+ tunables.
diff --git a/doc/details.mdwn b/doc/details.mdwn
index e0f85e5..b014b2b 100644
--- a/doc/details.mdwn
+++ b/doc/details.mdwn
@@ -363,3 +363,37 @@ This could be used in several ways:
objects for both. If the user is being forced to give up their keysafe
name and password, they could provide the fake name, and if it were
used, their data would get deleted from the keysafe servers.
+
+### Better object-id derivation
+
+An idea from Ben M:
+
+> I was the fellow who mentioned using an HMAC instead of
+> append-index-and-hash to generate the object-ids in keysafe.
+>
+> That's probably an okay approach if you need to bind the output to a
+> particular input string, but on reflection (unless I missed something)
+> it would be equivalent for keysafe to take a stream and chop it up, then
+> just "number" the chunks sequentially.
+>
+> In that case, the "most correct" choice would probably be HKDF (RFC5869
+> [1]). Specifically, the second part of HKDF -- "HKDF-Expand".
+>
+> (The first part, HKDF-Extract, is appropriate to apply /before/ key
+> stretching, but stretching itself serves much the same purpose --
+> removing "structure" from the input key. Especially given that Argon2
+> is designed specifically to handle user passwords, I expect that
+> HKDF-Extract is entirely unnecessary here.)
+>
+> HKDF is what TLS 1.3 will use to expand its per-session master keys into
+> individual keys for encryption and MACing [2], and AFAIK is generally
+> considered The Right Way to generate a stream of distinct keys from a
+> master key, where the compromise of any key should not permit derivation
+> of the others.
+>
+> So, um. Pretend I never mentioned HMAC, but spruiked HKDF instead :)
+>
+> (Of course, this is pretty much bikeshedding. A first pre-image attack
+> on SHA-2 in the near term would be a rude shock, and a full break would
+> break HKDF too. But HKDF may prove more robust in the face of partial
+> breaks, giving more time to move everyone to a new hash or scheme.)
diff --git a/doc/index.mdwn b/doc/index.mdwn
index e0cda48..873eb35 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -40,14 +40,20 @@ For a more in-depth explanation, and some analysis of different attack
vectors (and how keysafe thwarts them), see [[details]].
Also, there's a [[FAQ]].
+Here's a video explaining keysafe:
+
+<html>
+<video controls width=400 src="http://mirror.linux.org.au/pub/linux.conf.au/2017/securely_backing_up_gpg_private_keys_to_the_cloud.webm"></video>
+</html>
+
## News
-[[!inline pages="code/keysafe/news/* and !*/Discussion" show="3"]]
+[[!inline pages="news/* and !*/Discussion" show="3"]]
## Installation
-Keysafe is now available in Debian experimental. Install it from there, or
-from source.
+Keysafe is now available in [Debian experimental](https://wiki.debian.org/DebianExperimental).
+Install it from there, or from source.
## Git repository
@@ -63,9 +69,9 @@ libraries, and zenity. For example, on a Debian system:
sudo apt-get install haskell-stack libreadline-dev libargon2-0-dev zenity
-Then to build and install keysafe:
+Then to build and install keysafe, cd into its source tree and run:
- stack install keysafe
+ stack install
Note that there is a manpage, but stack doesn't install it yet.
diff --git a/doc/news/version_0.20160927.mdwn b/doc/news/version_0.20160927.mdwn
deleted file mode 100644
index 1787aa5..0000000
--- a/doc/news/version_0.20160927.mdwn
+++ /dev/null
@@ -1,20 +0,0 @@
-keysafe 0.20160927 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * Makefile: Avoid rebuilding on make install, so that sudo make install works.
- * Added --chaff-max-delay option for slower chaffing.
- * Fix embedded copy of Argon2 to not use Word64, fixing build on 32 bit
- systems.
- * Randomize the server list.
- * Don't upload more than neededshares-1 shares to Alternate servers
- without asking the user if they want to do this potentially dangerous
- action.
- * Added a second keysafe server to the server list. It's provided
- by Marek Isalski at Faelix. Currently located in UK, but planned move
- to CH. Currently at Alternate level until verification is complete.
- * Server: --motd can be used to provide a Message Of The Day.
- * Added --check-servers mode, which is useful both at the command line
- to see what servers keysafe knows about, and as a cron job.
- * Server: Round number of objects down to the nearest thousand, to avoid
- leaking too much data about when objects are uploaded to servers.
- * Filter out escape sequences and any other unusual characters when
- writing all messages to the console."""]] \ No newline at end of file
diff --git a/doc/news/version_0.20161006.mdwn b/doc/news/version_0.20161006.mdwn
deleted file mode 100644
index 2758b34..0000000
--- a/doc/news/version_0.20161006.mdwn
+++ /dev/null
@@ -1,10 +0,0 @@
-keysafe 0.20161006 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * New --add-storage-directory and --add-server options, which can be used
- to make keysafe backup/restore using additional locations.
- * Removed --store-local option; use --add-storage-directory instead.
- * Fix bugs with entry of gpg keyid in the keysafe.log.
- * Fix bug in --autostart that caused the full gpg keyid to be
- used to generate object names, which made restores would only work
- when --gpgkeyid was specifid.
- * Remove embedded copy of argon2 binding, depend on fixed version of package."""]] \ No newline at end of file
diff --git a/doc/news/version_0.20161007.mdwn b/doc/news/version_0.20161007.mdwn
deleted file mode 100644
index a7e8468..0000000
--- a/doc/news/version_0.20161007.mdwn
+++ /dev/null
@@ -1,9 +0,0 @@
-keysafe 0.20161007 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * Check if --store-local directory is writable.
- * Removed dependency on crypto-random.
- * Added a LSB init script, for non-systemd systems.
- (It currently uses Debian's start-stop-daemon, so would need porting
- for other distributions.)
- * /etc/default/keysafe is read by both the systemd service file and the
- init script, and contains configuration for the keysafe server."""]] \ No newline at end of file
diff --git a/doc/news/version_0.20161022.mdwn b/doc/news/version_0.20161022.mdwn
deleted file mode 100644
index e54f26e..0000000
--- a/doc/news/version_0.20161022.mdwn
+++ /dev/null
@@ -1,12 +0,0 @@
-keysafe 0.20161022 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * Add keywords to desktop file.
- Thanks, Sean Whitton
- * Fix use of .IP macro in manpage.
- Thanks, Sean Whitton
- * Fix some mispellings.
- Thanks, Sean Whitton
- * Makefile: Propagate LDFLAGS, CFLAGS, and CPPFLAGS through ghc.
- * Makefile: Allow setting BUILDER=./Setup to build w/o cabal or stack.
- * Makefile: Allow setting BUILDEROPTIONS=-j1 to avoid concurrent
- build, which should make build reproducible."""]] \ No newline at end of file
diff --git a/doc/news/version_0.20161107.mdwn b/doc/news/version_0.20161107.mdwn
deleted file mode 100644
index d98987e..0000000
--- a/doc/news/version_0.20161107.mdwn
+++ /dev/null
@@ -1,14 +0,0 @@
-keysafe 0.20161107 released with [[!toggle text="these changes"]]
-[[!toggleable text="""
- * The third keysafe server is now available, provided by Purism.
- * Purism's keysafe server has been vetted to Recommended level!
- * Change default for --port to 4242.
- * Fix --check-server to not fail when the server has not had anything
- stored on it yet.
- * --upload-queued: Exit nonzero if unable to upload all queued objects.
- * --autostart: If unable to upload all queued objects initially,
- delay between 1 and 2 hours and try again.
- * Better suggestion when user is having difficulty thinking of a strong
- enough password.
- * Defer requesting secret key from gpg until just before backup, so the
- user knows why gpg is asking for this secret key to be backed up."""]] \ No newline at end of file
diff --git a/doc/news/version_0.20170122.mdwn b/doc/news/version_0.20170122.mdwn
new file mode 100644
index 0000000..de03c93
--- /dev/null
+++ b/doc/news/version_0.20170122.mdwn
@@ -0,0 +1,8 @@
+keysafe 0.20170122 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * Adjust cabal bounds to allow building with ghc 8.0.
+ However, the stack.yaml is still using an old LTS version
+ to avoid polynomial's failure to build with ghc 8.0
+ (https://github.com/mokus0/polynomial/issues/8)
+ * Clarify that dollars in cost estimates are USD.
+ * Keysafe has a new website, https://keysafe.branchable.com/"""]] \ No newline at end of file
diff --git a/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__.mdwn b/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__.mdwn
new file mode 100644
index 0000000..c05748c
--- /dev/null
+++ b/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__.mdwn
@@ -0,0 +1,10 @@
+New version of raaz is released and will hopefully end up in debian expt. soon.
+It would be good if we can get keysafe to use the new interface as there is some breakage
+but hope fully good ones.
+
+
+Ref.
+
+https://github.com/raaz-crypto/raaz/issues/278
+
+> [[done]] --[[Joey]]
diff --git a/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_1_5f3f9b9337e82674dc03a3de4b96ac9f._comment b/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_1_5f3f9b9337e82674dc03a3de4b96ac9f._comment
new file mode 100644
index 0000000..0c9734e
--- /dev/null
+++ b/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_1_5f3f9b9337e82674dc03a3de4b96ac9f._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2017-03-03T19:30:06Z"
+ content="""
+Got it to compile without a great deal of difficulty. Only needed changes
+around random data generation, and that is done with secure memory now
+(in cases where it matters), which is nice! (Although I still need to do
+further work to make keysafe use exclusively secure memory for gpg key
+related material.)
+
+Keysafe's test suite passes, so this *probably* avoids breaking restore of
+keys backed up before.
+
+I've committed this to master but want to test it some more before
+releasing.
+"""]]
diff --git a/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_2_06f4ff0c86aa877656cee67ff054e9b1._comment b/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_2_06f4ff0c86aa877656cee67ff054e9b1._comment
new file mode 100644
index 0000000..eb8a106
--- /dev/null
+++ b/doc/todo/Update_to_new_version_of_raaz___40__0.1.1__41__/comment_2_06f4ff0c86aa877656cee67ff054e9b1._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2017-03-03T20:15:04Z"
+ content="""
+Tested restore of key backed up with a previous keysafe release; still
+works after this conversion.
+"""]]
diff --git a/keysafe.cabal b/keysafe.cabal
index 064a0e8..42e95fd 100644
--- a/keysafe.cabal
+++ b/keysafe.cabal
@@ -1,5 +1,5 @@
Name: keysafe
-Version: 0.20170122
+Version: 0.20170303
Cabal-Version: >= 1.8
Maintainer: Joey Hess <joey@kitenet.net>
Author: Joey Hess
@@ -38,7 +38,7 @@ Executable keysafe
-- the version ranges, it's important to run keysafe --test
secret-sharing == 1.0.*
, argon2 == 1.2.*
- , raaz == 0.0.2
+ , raaz == 0.1.1
, base (>= 4.5 && < 5.0)
, bytestring == 0.10.*
, text == 1.2.*
diff --git a/stack.yaml b/stack.yaml
index 2658ab6..0deb662 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -6,7 +6,7 @@ extra-deps:
- dice-entropy-conduit-1.0.0.1
- polynomial-0.7.2
- finite-field-0.8.0
- - raaz-0.0.2
+ - raaz-0.1.1
- zxcvbn-c-1.0.0
- servant-0.7.1
- servant-server-0.7.1